How do I setup ServiceNow to auto recalculate risk score of VIT records when EPSS score is Updated

dan167 · ‎03-18-2025

How do I setup ServiceNow to auto recalculate risk score of VIT records when CVE fields like EPSS score are updated to a new score.

We have our risk calculator using Vul EPSS score, Vul severity, Vul access complexity v2, Vul exploit exists, Vul Attack Vector v3, CI data classification (custom field). So we want the risk score to be recalculated whenever one of these fields are updated.

I have updated the BR "Set recalculate flag" to look for changes in the fields we are targeting for our risk rule calculator but it does not appear to be changing the risk score unless I manually reapply the calculator or click the UI action to manually calculate the risk score.

Is there something I am missing here?

andy_ojha · ‎03-24-2025

Hey there - it's using the same Business Rule flavor and logic that you referenced on your original post.

Business Rule = "Set recalculate Flag"
- Looks for changes in fields like Vuln Severity, Exploit Exists, Exploit Skill Level, Tenable VPR
Business Rule = "Set recalculate Flag (CISA)"
- Looks for changes on the CISA KEV value

Both of those Business Rules run on the base Vulnerability Entry (sn_vul_entry) table (which the Third-Party Entry table extends from).

They both will update a field called "Run vulnerability calculator", and set it the "True" - if the Business Rules pick up a particular change.

Then - the Scheduled Job, will find the Vuln Entry records with the "Run vulnerability calculator" set to <True>, by those Biz Rules (because something notable changed) > then find the related Vulnerable Items and run them through your configured Risk Scoring Calculators.

Once those Vuln Entry records are accounted for > their "Run vulnerability calculator" field will transition from <True> back to <False>.

Can you check your records on the [sn_vul_entry] table, and personalize your columns to include the "Run vulnerability calculator" field to be visible?

You'll want to validate that your custom Biz Rule follows the logic of the 2 other Biz Rules mentioned above, and they are setting that field "Run vulnerability calculator" to <True> on the Vuln Entry records.

View solution in original post

andy_ojha · ‎03-19-2025

Hey there,

How are you testing this out?

After the value changes on your Biz Rule fires -> are you seeing the "Run vulnerability calculator" flag get set to True, on the Vulnerability Entry record?

Are you executing the Scheduled Job named "Run severity calculator after vuln entry promotion" -- or waiting for it to run at it's scheduled interval?

That Scheduled Job is what is needed to go look for Vulnerability Entries that have the "Run vulnerability calculator" set to True (when your Biz Rule fires as a value like CISA KEV, EPSS, etc change). It finds the Vulnerability, and runs any related Vuln Items through your Risk Calculator again... Then, it sets the "Run vulnerability calculator" flag back to False on the Vulnerability Entries. I believe it is set to run daily at 00:00 (local) on your instance by default.

dan167 · ‎03-24-2025

Where would I go to see that field set to true? I didn't find a field on the vit table for that. I think I also looked at records on nvd table.

Also the job is set to run at 2am. I have ran it manually and let it run automatically.

andy_ojha · ‎03-24-2025

Hey there - it's using the same Business Rule flavor and logic that you referenced on your original post.

Business Rule = "Set recalculate Flag"
- Looks for changes in fields like Vuln Severity, Exploit Exists, Exploit Skill Level, Tenable VPR
Business Rule = "Set recalculate Flag (CISA)"
- Looks for changes on the CISA KEV value

Both of those Business Rules run on the base Vulnerability Entry (sn_vul_entry) table (which the Third-Party Entry table extends from).

They both will update a field called "Run vulnerability calculator", and set it the "True" - if the Business Rules pick up a particular change.

Then - the Scheduled Job, will find the Vuln Entry records with the "Run vulnerability calculator" set to <True>, by those Biz Rules (because something notable changed) > then find the related Vulnerable Items and run them through your configured Risk Scoring Calculators.

Once those Vuln Entry records are accounted for > their "Run vulnerability calculator" field will transition from <True> back to <False>.

Can you check your records on the [sn_vul_entry] table, and personalize your columns to include the "Run vulnerability calculator" field to be visible?

You'll want to validate that your custom Biz Rule follows the logic of the 2 other Biz Rules mentioned above, and they are setting that field "Run vulnerability calculator" to <True> on the Vuln Entry records.

dan167 · ‎03-24-2025

Thanks for your reply.

I have found the run vulnerability calculator field on the sn_vul_entry table and I have about 162 records with that field set to true. I have also found a CVE that is linked to open VIT records. I am monitoring those VIT records to see if their risk score changes.